From 0a2c1fe437961eebf843a5348bcb88e70ee0ad21 Mon Sep 17 00:00:00 2001 From: chn Date: Mon, 9 Jun 2025 20:54:59 +0800 Subject: [PATCH] devices.cross.secrets.acme: split --- .sops.yaml | 3 ++ devices/cross/secrets/acme.yaml | 62 ++++++++++++++++++++++++++++++ devices/cross/secrets/default.yaml | 6 +-- modules/services/acme.nix | 2 +- 4 files changed, 68 insertions(+), 5 deletions(-) create mode 100644 devices/cross/secrets/acme.yaml diff --git a/.sops.yaml b/.sops.yaml index 74d3ec6a..8b52c2f8 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -54,3 +54,6 @@ creation_rules: - path_regex: devices/cross/secrets/chn.yaml$ key_groups: - age: [ *chn, *pc, *one, *nas ] + - path_regex: devices/cross/secrets/acme.yaml$ + key_groups: + - age: [ *chn, *nas, *pc, *srv3, *vps4, *vps6 ] diff --git a/devices/cross/secrets/acme.yaml b/devices/cross/secrets/acme.yaml new file mode 100644 index 00000000..bafb179f --- /dev/null +++ b/devices/cross/secrets/acme.yaml 
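Review bot: The new rule narrows who can decrypt the Cloudflare token only going forward; the same `acme/token` ciphertext remains in git history under `devices/cross/secrets/default.yaml`, decryptable by whoever holds that file's recipient keys (its key group is not visible in this patch), so if the split is meant to remove any host's access the token should be rotated at Cloudflare and `acme.yaml` re-encrypted, not just moved. The old and new `acme/token` ciphertexts both carry a 40-byte payload, which suggests the value was carried over unchanged rather than rotated — worth confirming. Each of the six aliases listed here (`*chn, *nas, *pc, *srv3, *vps4, *vps6`) should correspond to a host that actually runs the ACME module, since any of them can read a DNS-edit token for the zone. A nit, consistent with the existing `chn.yaml$` rule: the dot in `devices/cross/secrets/acme.yaml$` is an unescaped regex metacharacter; `devices/cross/secrets/acme\.yaml$` would be the exact match.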
@@ -0,0 +1,62 @@ +acme: + token: ENC[AES256_GCM,data:EwZwX3ht+uj4tgaFQIFdt9ZlJc1xRCcYdIbdW86jI3BG0aDGo+eptQ==,iv:CDBIsVRK3XQIXZyavfDLd8Lqd9Fw+yQyi7bkgZg8ocA=,tag:u0M335ZBfBkH4MSehQTj6w==,type:str] +sops: + age: + - recipient: age19ax6vm3pv8rph5tq3mmehd9sy9jk823tw8svsd790r0lkslycquqvlwz9m + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwOFEwcjQyUmlpRDJ1WVFt + WUJVM29wdTFwZmNWTHNkMFpjeThCaGt0VkJjCjZ1bnNGVnF0dmdKVE1VdzJoeXJk + ZXM0b0NZeENMY2g0R203Rnc4Y2x3QTQKLS0tIHVPc1NuaGx5ZE92R3VTenpiRGNI + UWhxZVBpL1VSMVFabVJ3WWUrMjlrRTAKpya6EFm4EQ3o35C5Bdyyaw4Qys8IM2fe + OrA5b9xElsEhfGzkpRXkEtsbMhbbpNu0zvDBpylU8rU70tffcWh1sA== + -----END AGE ENCRYPTED FILE----- + - recipient: age19lhcwk37jmvn6z0v4dpdfh0k4u23f76twdjknc0p7atktf37rd7s4t4wj3 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvdUowREVqOXBiZE02RUU2 + RVU3MkxNVFRiaUFHQzlzdXpQNFRvanhDMGdjCm1qUytTNzAyY3g1OXI4L0hmK2Va + a0hJem5FNkFYTnBxbnhJT0QrbVBzdk0KLS0tIDkxeGYwTnNaUVVBa2NxT1dGWVRF + UE9uY2tjdE1ZTVFXSWI5czE1ZHVBV0UKYHyDTeejdMwfYW2u6r9MWZ9qJU2mTYJx + qK2/91+T5/paq23+gEpMJeCbCMfcws9xeaf4KgWdBr/JNgjNQ3mhyQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1ffvr5pqd2lfj24e3fh53s92z6h76fda3du4y4k6r3yjumdwvpfgqzj033a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIbjBLelBWR0ZpZEFrL3A2 + UExIamd3aElvZUNCK2VwZVJrdHMyWGZNYnhJCnBoUlF4ZWtKMDVIYzhqUlpxZXpr + UlY4VnVwcFkxMzc0Q0VoQW03QU9BODQKLS0tIGtoRStxL3BFd09CMi9zT0pwZEwr + d0hRWnVQOWVxdGRxRXpBZGtMQ24xbm8KtlIU+T++8IQRDLXAH1pBXa6hNqHD19ti + AIZGn7+Eh/b6wOkndNpzLCWGVVm9yo7qMY7AzYNIz7SU/9a0JPGuGQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1n4lhfwv7g0vhx54exmwx9yv2z04m3h2lunzpa5zdzgtcvjjuf5nqc36g8a + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxbFVkbjdHWm9xTlEwbzBE + Ky9KcjVvc0l2ZkJnOVdxVzFpUDMydDRuNWtVCmpkYXl1dG91TG84em16cFlRcG5y + WTBKM1VuWmV3dUlpcE1ka093aHh6REEKLS0tIC91OHF0TnhDUjlqVWcvMjl1czlm + 
YVRXZS9PRVpwNmFaY3pNT0JZNzB3R2MKHClUpTySdpU8AFNYoqT37KWkJbPgmd2+ + UhtufEWWgSL6j/npU0yxHNcsmU5gfd45TnTxp4sSOupJUDM0B4FKlQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1yvrl4y0r6yzcxzzkgfwshlrtsjt8uuya6rfwks09pnft7esfcyvqmrtm5q + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBObkt4a25UcGo4MnoxOVJQ + WkF6elVWODYvSWw1QWtPYTJKS1gxUXRDVjNJCndNcU5GUHhMZW5uTzNpV2NtYUVh + K0dYNGlmRzd5ZkZVaGd3cjJFVEFSMXMKLS0tIEVRQWtaY0d3TERsV0ZNcVc0Vyty + WnZxTGxOY0NROU4vYTl1WWREemptaDAKhzzRPyr370b7ccTM5DE+jOczmXDqZBt5 + fYQ04+yLjcULNhqlu52mJRH1X5Se2pXbCzEG6JFiKCEra0wiYhoo5Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age164tyqklwhdm57tfm5u863mdt2xrzrrzac4py8a0j9y6kzqcjy9zsp073t6 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzbjRpMWZ6eXZubjVUUlNL + Z0N3ZkhoeVoxVzVwMHJzQzhJVjZ5MFhTU3dFCllwVWVWbm1KMTlUcEd0empxS1J2 + NzRSbkE5cEJLMmZCcjZBMTF0TUF2SEUKLS0tIFN6TVNEMU4rVVl1OEdzWGJSRmdl + cndmbU16NkRmMHo5ZlJYMUFBUmlIZDQKNVXn3/twQKZC+74tRlpG2wx0hLEZuuka + DKtNg6nnhd/UsVNF6/MSTwjnwXeilNemV7ffAbSE4tixcfBV3niILg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-06-09T12:53:40Z" + mac: ENC[AES256_GCM,data:0Hj24jM82Crv9cCiCOtcdcdTXAQ/kTW34bgiqOByFpI4eC0GMFg9yxCIz7xd115YZOSyaUqB6rBeJdzpE2f9mwVmqo2J6R7F9W4g+c+4zqQM7BPWpaq38+j1iHbo6jaJWaxMASZCAEbsrpuAFak+q6Ndbb1J7HHi3b1sqYszuZI=,iv:Wc8lIgMgczpg/8oeSXJY8BlR7PRdLvUwjuGrg3zRDtQ=,tag:xLv8Uc8iruo+DDn8uc5AZg==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/devices/cross/secrets/default.yaml b/devices/cross/secrets/default.yaml index 59d5b038..292b970c 100644 --- a/devices/cross/secrets/default.yaml +++ b/devices/cross/secrets/default.yaml 
@@ -35,8 +35,6 @@ telegram: user: chn: ENC[AES256_GCM,data:mTt2D+SkvVL8,iv:L0Pk5p46E2kKBdRWCGpwOKS0BsbIhZUslpIFWvkssMY=,tag:+AjbNJ1SW/8Mx1HLpWAd2w==,type:str] hjp: ENC[AES256_GCM,data:ZXTQhax0gT4PKw==,iv:MerbaWWC4SLazEuuJrxAxf9e5aaX9xpq9St+h9aqvMQ=,tag:x9knShK90OKZPcn9fKzvMA==,type:str] -acme: - token: ENC[AES256_GCM,data:M8/R019chds8zr2BqnRnKP40NZxwq4fz06NaOeOOFYecLyDjIOq5mg==,iv:VPr4XD0Y+6G1P1xwMDyrWPiTvCYdiMV0nPcmqCvIA3Y=,tag:KEyCIHRmRkNviA4bMTMybg==,type:str] nginx: maxmind-license: ENC[AES256_GCM,data:MtmNo6hHlU75N6PvzF7P5i6Q+myV4Keb1JRXVeHxTennNpKfAndsKg==,iv:DqM91JX+1WX8Zqzha2Tm3ztFaSzKYQg+b9NvUm+6jxY=,tag:XnDTBL9MA/B8XfPZqdk7Eg==,type:str] sops: @@ -176,7 +174,7 @@ sops: UnR5Y24rSTk3WUV1VUgvQUFCVUxPZUEKv/lTy02gZYn4jF1uGtm+LhJd0m59Xe99 +unmqUDh0ZqAhJU8o0jrBiWs1lXOHU7CkIom7tGEMHGUxHkS+Z/6GQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-05T02:24:04Z" - mac: ENC[AES256_GCM,data:bdiWl2Un3IzYZx5vRcrxptfgJZl63qN/7ZosNNqiNlUU2vfyEQhOvXNxjRRgHI1HCBiqKdecKLC1qQyTHVhCTovjdciqlAMSLIQ1QFoq0+FVMagp8JXocfrxeyzyY8z4z7ACJc9MFtZ1ueBy+bqjlX7ArgGyltoGy2UsiJK6q40=,iv:RsOod/sQa/cHf72z/+neU4W87CDXD5U3b5aH4ArKVLo=,tag:K3Zl6X0bslhvwVjeqRSVnw==,type:str] + lastmodified: "2025-06-09T12:54:56Z" + mac: ENC[AES256_GCM,data:pAJ1mr02yp41jTcvy56OCUvJZh0NJXqAj582F85eevOIVy/GKQyvBonSkT0vN85q8UXw6tsNBpSqLi5MEoP2QhSP6x6mMZ6fHHGtkhw2ROmuTcfGdHDIq0SMU6arukEVDFlVsoneNXUUmdvwDjxAGv4qf7sI4ynPwu0V9xurYiI=,iv:ZuCObomHvfEPEKnepRyTOiojOEh6mfWW+bF/ytsTqiU=,tag:k0WuI8eewWeCQkiXDisjZw==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/modules/services/acme.nix b/modules/services/acme.nix index 87ece072..59a53fca 100644 --- a/modules/services/acme.nix +++ b/modules/services/acme.nix 
@@ -48,7 +48,7 @@ inputs: CLOUDFLARE_DNS_API_TOKEN=${inputs.config.sops.placeholder."acme/token"} CLOUDFLARE_PROPAGATION_TIMEOUT=300 ''; - secrets."acme/token".sopsFile = "${inputs.config.nixos.system.sops.crossSopsDir}/default.yaml"; + secrets."acme/token".sopsFile = "${inputs.config.nixos.system.sops.crossSopsDir}/acme.yaml"; }; }; }
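Review bot: The new `sopsFile` line carries no hint of why the token was pulled out of `default.yaml`, and the reason is security-relevant, so a one-line comment above it would help the next maintainer: `# Kept in its own sops file so only the hosts listed for acme.yaml in .sops.yaml can decrypt the Cloudflare DNS token`. The enclosing attribute set (`inputs:` … `}`) starts outside this hunk, so I cannot see whether the host's own age key is among that file's recipients; if a host evaluating this module is not in the `.sops.yaml` rule for `acme.yaml`, decryption will fail at activation rather than at build time.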